A problem with Packages? Or is it not?
Let us assume the following scenario:
1/ Mr X has hacked the main ftp with debs.
2/ He puts his malicious version of some deb into the pool. He just adds
it in the directory, nothing gets deleted.
3/ Mr X changes proper line in Packages. It is not signed, so the change
remains unknown. Now Packages point to the malicious version of package.
4/ I do 'apt-get update'. Apt download changed Packages file.
5/ Apt upgrades the package with Mr X's version.
6/ Bad things happen.
Is this possible?
In theory, both .dsc and .changes are signed with maintainer key, but
.dsc describes only source files (orig + diff) and .changes does not se
em to be present in pool (I think it gets integrated into Packages,
which can be changed by Mr X without problems). Have I described a real
threat, or there's something I do not know?
I'd appreciate CCs to me, as I do not read this list.
(oo) | Alka SeltzBorg: I can't believe I assimilated the WHOOOOLE |
/ \/ \ | thing!! |
To UNSUBSCRIBE, email to firstname.lastname@example.org
with a subject of "unsubscribe". Trouble? Contact email@example.com